On Thu, 17 Feb 2011 10:26:51 -0600, Eric Bielefeld <eric- ibmm...@wi.rr.com> wrote:
>I have two questions about security.
>
>What is the difference between R-INACT and REVOKED? I know what revoked is, but I'm not sure what R-INACT is exactly. I have searched the Security Server bookshelf, and R-INACT is not listed there. At least it's not on the z/OS R9 bookshelf that I have on CD.
>
>Another related question I have. If RACF is set up to revoke userids after 45 days of inactivity, will the user show up as revoked after that 45 days? I had heard that it only showed up as revoked if the user tried to log on after the period of inactivity. So even if the user didn't try to log on for 60 days in my example, he would still show up as "REVOKE DATE=NONE" after 50 days. Is that correct?
>
>Thanks,
>--
>Eric Bielefeld
>Systems Programmer

Eric - Can't help you with the R-INACT, but here is the revoked information from the 1.11 RACF Security Administrator's Guide:

.2.5 Revoking Unused User IDs (INACTIVE Option)

The INACTIVE operand of the SETROPTS command causes RACF to revoke the user's right to use the system if the user ID has remained unused beyond a specified number of days. RACF revokes the user the next time the user attempts to enter the system. The following example specifies that RACF revoke a user ID if it is unused for over 30 days:

   SETROPTS INACTIVE(30)

If you issue the SETROPTS INACTIVE(30) command and a user has not done any of the following in 31 days:

   - Logged on
   - Submitted a job
   - Changed their password or password phrase by any method
   - Attempted an unsuccessful logon
   - Received a directed command or output from RACF

that user is considered revoked. However, the user is not actually revoked, and the output of the LISTUSER command does not show that the user is revoked until the user next attempts to log on or submit a job. When you allow the user to start using the system again (using the RESUME operand on the ALTUSER command), RACF resets the effective date with which the period of inactivity starts.

When you define a new user ID, the user's last access date is set to the user ID's creation date. If the user ID is not used within the number of days specified by SETROPTS INACTIVE, the user ID will be revoked. When you issue LISTUSER for a new user ID that has never been used, the last access date will be listed as UNKNOWN.

If NOINACTIVE is in effect, RACF does not check the user ID against an unused user ID interval.

If NOINITSTATS is in effect, the INACTIVE, REVOKE, HISTORY, and WARNING options cannot be used.

HTH

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
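Since LISTUSER keeps reporting REVOKE DATE=NONE until the next logon attempt, the only way to see who is already past the INACTIVE interval is to compare each user's last-access date against it. The script below is an added example, not from the post or the RACF guide: it parses constructed LISTUSER-style output (field layout approximated, values invented) and treats an UNKNOWN last access as the creation date, as the guide describes; the yy.ddd century pivot is an assumption.

```python
import re
from datetime import date, timedelta

# Constructed LISTUSER-style output for three users (layout approximated from
# the RACF LISTUSER command; field names assumed, values invented).
SAMPLE_LISTUSER = """\
USER=ERIC     NAME=ERIC BIELEFELD   OWNER=SYS1     CREATED=05.123
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=10.350/10:26:51
USER=NEWGUY   NAME=NEW HIRE         OWNER=SYS1     CREATED=11.001
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=UNKNOWN
USER=ACTIVE1  NAME=BUSY USER        OWNER=SYS1     CREATED=09.200
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=11.047/08:00:00
"""

def parse_julian(yyddd):
    """yy.ddd (two-digit year, day of year) -> date; pivot at 70 is an assumption."""
    yy, ddd = yyddd.split(".")
    year = (2000 if int(yy) < 70 else 1900) + int(yy)
    return date(year, 1, 1) + timedelta(days=int(ddd) - 1)

AS_OF = parse_julian("11.048")  # 17 Feb 2011, the date of the post

def parse_listuser(text):
    """Return (userid, last_access, revoke_date) for each USER= block."""
    users = []
    for block in re.split(r"(?m)^(?=USER=)", text):
        if not block.strip():
            continue
        uid = re.search(r"USER=(\S+)", block).group(1)
        created = parse_julian(re.search(r"CREATED=(\d\d\.\d{3})", block).group(1))
        la = re.search(r"LAST-ACCESS=(\S+)", block)
        la = la.group(1) if la else "UNKNOWN"
        # Guide: a never-used ID lists UNKNOWN, but its inactivity clock
        # started at creation, so use the creation date in that case.
        last = created if la == "UNKNOWN" else parse_julian(la.split("/")[0])
        rev = re.search(r"REVOKE DATE=(\S+)", block)
        users.append((uid, last, rev.group(1) if rev else "NONE"))
    return users

def effectively_revoked(text, inactive_days, today=AS_OF):
    """IDs unused for more than inactive_days that still show REVOKE DATE=NONE:
    RACF will revoke them at their next logon, but LISTUSER does not say so yet."""
    return [uid for uid, last, rev in parse_listuser(text)
            if rev == "NONE" and (today - last).days > inactive_days]

if __name__ == "__main__":
    for n in (30, 45, 60):
        print(f"INACTIVE({n}):", effectively_revoked(SAMPLE_LISTUSER, n))
```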